I ran

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

and got

    vulnerable
    this is a test

so I did

    apt-get update
    apt-get install bash

and now I get

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test

bash version 4.2.37(1)-release

Edited: Seems like jvreeland has a clearer picture: https://news.ycombinator.com/item?id=8362309

Yeah, I was current yesterday and I'm current today, with both apt-get update and upgrades. Your version number is lower than mine, you must be on either stable or testing.

ii bash 4.3-9 i386 GNU Bourne Again SHell

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

vulnerable this is a test

From the FAQ:

> Does sid have security updates?

Not in the same sense that stable does. If the maintainer of a package fixes a security bug and uploads the package, it'll go into sid by the normal means. If the maintainer doesn't do that, then it won't. The security team only covers stable (and possibly testing... there's a pending issue for that case).

sid/unstable had a fix uploaded ~3 hrs ago fwiw (after you made your comment).

Only for amd64 though, ctrl+f for "4.3-9.1": http://ftp.debian.org/debian/pool/main/b/bash/

Yep. A current i386 debian is still vulnerable, some hours later. Curses.

Edit: I see that even those who got the patch are in fact still vulnerable.